Some malware will try to hide its malicious Internet
traffic among regular-looking traffic. Some will check to see if it
has Internet access before unpacking and sending traffic to its real
destinations. This graph shows Internet traffic to the legitimate Google sites
www.google.com and www.google.nl (Netherlands). There is also
malicious Internet traffic to an IP address and a URL.

The ".tmp" file is usually a temporary holding place for the ".exe" file and is deleted once the ".exe" is in place. A ".bat" file can be many things, but here it is included in malware that is coded to delete the original file after the original has been renamed and copied to a hidden directory.

Monday, June 2, 2014

There was a question about Base64, so let's talk about bases.
A "base" is how many "things" you have to communicate with.

In English you have 26 letters.
English is Base26, if you only use lower case "abcdefghijklmnopqrstuvwxyz".

If you include upper case "ABCDEFGHIJKLMNOPQRSTUVWXYZ" then you just added 26 more symbols.

Many humans like English. (Base26)
Computers like to read Binary using 1 or 0. (Base2)

Some humans read Japanese.
It is said that you need to know at least 3000 Japanese characters (Kanji, Katakana, Hiragana) to read a Japanese newspaper.
That's Base3000 and that's not even all of the Japanese characters!

To communicate successfully we have to change (convert, encode, translate, whatever) the message from one base to another base.

Unless!
You are hoping that someone who reads the message will NOT be able to understand it.

For example the APT Malware had the call back - 'www.google-blogspot.com:8888'
The creator could have easily left the callback in English.

But instead, it was converted into Base64 to hide from those who easily read English.
It becomes necessary for us to recognize the code we are seeing and convert it into something we are better at reading.

Monday, May 26, 2014

This file on malwr.com looks interesting as somebody tagged it as Chinese APT.
The file did not run correctly as there was no network traffic and no created files.

The goal here is to find Network Traffic or Created Files.
Let's take a look "under the hood".

Start gathering information by just looking around.
Look at the "String" tab in malwr.com under "Static Analysis".

Doing searches on the strings for "http" or "connect" can help, but does not help for this malware.
Let's drag and drop it into Immunity Debugger and look for some more English.
This is not debugging, we are just using a Debugger to look around.

"English-ish" strings that stick out are in the far right column.
These can be Google searched to find their meaning.

Here is the part where we sound like Shawn Spencer from "Psych".
We are not really sure what's going on, but we "see" things.

The string that sticks out is not the String Length "lstrlen" but the fact that it contains a Base64 string.
What? Why?
How do we know it is Base64 and what is Base64?

It is the equal signs at the end that give it away.
"d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA=="
The "=" or "==" is added to the end of a Base64 string when the input is not a whole number of 3-byte groups; the padding fills out the last 4-character group so the decoder knows how many bytes were really there.

Decoding this string using Base64 and Python we see:
Python 2.7
>>> "d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==".decode('base64')
'www.google-blogspot.com:8888'
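Building on that one-liner, here is an added Python 3 example (not code from the post) that does the same thing over a whole strings listing: it uses the padding rule above to tell real Base64 from look-alike API names, decodes what survives, and keeps only values that look like a host:port or URL. The strings listing is constructed; only the Base64 value from the post is real.

```python
import base64
import binascii
import re

# Constructed "strings"-style output modelled on the post's Immunity
# Debugger view. The third line is the Base64 value quoted in the post;
# the other lines are made up to show what the filters reject.
SAMPLE_STRINGS = """\
KERNEL32.dll
lstrlenA
d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==
GetProcAddress
VGhpc0lzTm90QUNhbGxiYWNr
aGVsbG8=
"""

B64_RE = re.compile(r'^[A-Za-z0-9+/]{4,}={0,2}$')
# host[:port] or URL, like the post's www.google-blogspot.com:8888
CALLBACK_RE = re.compile(
    r'^(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?::\d{1,5})?(?:/\S*)?$')

def padding_for(n_bytes):
    """Number of '=' a Base64 encoding of n_bytes of input ends with.
    Base64 works on 3-byte groups; '=' marks how much of the last group
    was missing (28 bytes -> one leftover byte -> '==')."""
    return (3 - n_bytes % 3) % 3

def decode_if_text(candidate):
    """Decode a Base64 candidate and return printable ASCII, or None.
    Length must be a multiple of 4 (padding included) and every byte
    must be printable, which weeds out API names like 'lstrlenA'."""
    if not B64_RE.match(candidate) or len(candidate) % 4:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return None
    if not raw or any(b < 32 or b > 126 for b in raw):
        return None
    return raw.decode('ascii')

def find_callbacks(strings_text):
    """Return (encoded, decoded) pairs whose decoded form looks like a
    host:port or URL, i.e. a possible callback to hunt for in proxy logs."""
    hits = []
    for line in strings_text.splitlines():
        decoded = decode_if_text(line.strip())
        if decoded and CALLBACK_RE.match(decoded):
            hits.append((line.strip(), decoded))
    return hits
```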

This looks like Internet traffic!
But it looks kind of legitimate?
We recognize the words google and blogspot.

Just like biological viruses will try and trick your immune system that they belong there,
computer viruses also will try and hide by looking legitimate.

Red flags:
1) Port 8888.
This is not a common Internet port.
Why isn't it using port 80 (http) or port 443 (https)?
2) Creation date of this URL is 10-jan-2014.
Why so recent?
The real Google Blogspot or blogger.com was created 22-jun-1999.
3) Notice the Name Servers.
NS01.TIANKENG-TIANKENG.NET vs NS1.GOOGLE.COM (blogger.com)

An interesting side note is that the name Xiaozhai_Tiankeng is apparently the world's deepest sinkhole.
It's found in China.

This looks like at least one callback.
We should not assume there is only one but it gives us something to go on.
We can use this to look through our Internet traffic to see how many machines in our network have tried to go to this site.

What about Created files?
We will take a look at that in another blog.